Strip passwords when logging directory data


    • Type: Suggestion
    • Resolution: Fixed
    • 2.3.4
    • Component/s: None
    • None

      If a DirectoryImpl object is ever logged using its toString method, it will output log messages containing all attributes without any filtering on the results. e.g.

      2011-03-25 12:14:23,510 INFO [main] [confluence.upgrade.upgradetask.EmbeddedCrowdSynchronisationUpgradeTask] doUpgrade Starting initial sync of directory: com.atlassian.crowd.model.directory.DirectoryImpl@c2b8eb[lowerName=upgraded atlassian-user ldap (ldaprepository),description=LDAP configuration upgraded from an existing atlassian-user configuration,type=CONNECTOR,implementationClass=com.atlassian.crowd.directory.MicrosoftActiveDirectory,allowedOperations=[UPDATE_GROUP_ATTRIBUTE, CREATE_GROUP, UPDATE_USER_ATTRIBUTE, DELETE_GROUP, UPDATE_GROUP],attributes={ldap.read.timeout=60000, ldap.user.displayname=displayName, ldap.pooling=true, ldap.role.name=cn, ldap.usermembership.use=false, ldap.search.timelimit=0, ldap.user.objectclass=person, ldap.group.objectclass=group, ldap.role.description=description, ldap.user.firstname=givenname, ldap.pagedresults=true, ldap.group.description=cn, ldap.group.usernames=member, ldap.user.group=memberOf, ldap.user.filter=(objectClass=person), ldap.user.username.rdn=sAMAccountName, ldap.password=*******, ldap.relaxed.dn.standardisation=false, ldap.secure=false, ldap.role.usernames=member, ldap.group.filter=(objectClass=group), ldap.user.username=sAMAccountName, ldap.group.dn=ou=Groups, ldap.user.email=mail, ldap.basedn=ou=UserBase,dc=corp,dc=hulu,dc=com, ldap.role.filter=(objectclass=group), ldap.roles.disabled=true, ldap.connection.timeout=30000, ldap.url=ldap://somecompany:389, ldap.usermembership.use.for.groups=false, ldap.referral=true, ldap.userdn=CN=Linux-LDAP,OU=ServiceAccounts,OU=UserBase,DC=corp,DC=hulu,DC=com, ldap.user.lastname=sn, ldap.pagedresults.size=100, ldap.group.name=cn, ldap.local.groups=true, ldap.user.dn=, ldap.user.password=unicodePwd, ldap.role.objectclass=group}]
      

      Note that the ldap.password in this example has been sanitised. Crowd should automatically do this whenever it logs a directory object - be it a DirectoryImpl or an ImmutableDirectory (should we ever add a toString implementation to that).
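The pattern the issue asks for, as an added example that is not Crowd's own code: a simplified, hypothetical Directory class whose toString() redacts password-valued attributes itself, so that any log statement that passes the object as a message argument gets the masked form regardless of call site. The class name, the attribute keys and the secret-key list are assumptions for illustration; only ldap.password is taken from the log line above.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

/**
 * Hypothetical directory model (not Crowd's DirectoryImpl) showing redaction
 * inside toString(), which is the method log frameworks call on an argument.
 */
public class SanitisedDirectoryExample {

    /** Attribute keys known to hold credentials. Assumed list for the example. */
    private static final Set<String> SECRET_KEYS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("ldap.password")));

    private static final String MASK = "*******";

    static final class Directory {
        private final String name;
        private final Map<String, String> attributes;

        Directory(String name, Map<String, String> attributes) {
            this.name = name;
            this.attributes = new LinkedHashMap<String, String>(attributes);
        }

        /** Returns a sorted copy of the attributes with secret values masked. */
        Map<String, String> sanitisedAttributes() {
            Map<String, String> copy = new TreeMap<String, String>();
            for (Map.Entry<String, String> e : attributes.entrySet()) {
                copy.put(e.getKey(), isSecret(e.getKey()) ? MASK : e.getValue());
            }
            return copy;
        }

        /**
         * Redaction lives here rather than at each logger call, because every
         * "Starting sync of directory: " + dir style message ends up in toString().
         */
        @Override
        public String toString() {
            return "Directory[name=" + name + ",attributes=" + sanitisedAttributes() + "]";
        }
    }

    /**
     * Key-based decision: an explicit list of credential keys, plus a
     * conservative fallback on the word "password". The fallback also masks
     * ldap.user.password, whose value (e.g. unicodePwd) is an LDAP attribute
     * name rather than a secret; over-masking is the safe direction here.
     */
    static boolean isSecret(String key) {
        String k = key.toLowerCase();
        return SECRET_KEYS.contains(k) || k.contains("password");
    }

    public static void main(String[] args) {
        // Constructed sample attributes; values are placeholders, not real config.
        Map<String, String> attrs = new LinkedHashMap<String, String>();
        attrs.put("ldap.url", "ldap://somecompany:389");
        attrs.put("ldap.userdn", "CN=example-service-account");
        attrs.put("ldap.password", "PLACEHOLDER-SECRET");
        attrs.put("ldap.user.password", "unicodePwd");

        Directory dir = new Directory("example ldap", attrs);
        String logged = dir.toString();

        // What a logger would receive: the secret never appears in the string.
        System.out.println(logged);
        if (logged.contains("PLACEHOLDER-SECRET")) {
            throw new IllegalStateException("credential leaked into log output");
        }
    }
}
```

A practical check for a change like this is a unit test that builds a directory with a known sentinel password, logs it, and asserts the sentinel is absent from the captured output; that catches any new toString() or debug statement that bypasses the sanitised path.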

              Assignee: joe
              Reporter: Richard Atkins
              Votes: 0
              Watchers: 0

                Created:
                Updated:
                Resolved:

                  Estimated: 1h (Original Estimate - 1h)
                  Remaining: 0h (Remaining Estimate - 0h)
                  Logged: 1.5h (Time Spent - 1.5h)